Australian Government - Office of the Australian Information Commissioner

Privacy fact sheet 15: Ten tips for protecting the personal information in your My Health Record

March 2016

If you have a My Health Record or are considering whether to get one, this fact sheet explains what to consider over the lifetime of your record.

What is a My Health Record?

A My Health Record is an online summary of your health information, such as medicines you are taking, any allergies you may have and treatments you have received. It was previously known as a Personally Controlled Electronic Health Record (PCEHR) or eHealth record.

Your My Health Record allows your doctors, hospitals and other healthcare providers (such as physiotherapists) to view your health information, in accordance with your access controls. You are also able to access it online yourself.

In most parts of Australia you need to actively register for a My Health Record. However, people whose registered Medicare address is in Northern Queensland or the Nepean Blue Mountains will have a My Health Record automatically created for them by the Australian Government. If you are registered as living in either of these areas and don’t want a My Health Record, you will need to opt out by 27 May 2016.

You can use the postcode checker on the My Health Record website to see if your registered Medicare address is in one of these areas. If it is, you should also receive a letter and brochure from the Australian Government with further information.

This fact sheet is for everyone who already has or will soon have a My Health Record and anyone else who is thinking of registering for one. This includes people whose registered Medicare address is in Northern Queensland and the Nepean Blue Mountains region.

1. Read the System Operator’s privacy statement carefully before you opt in

Make sure you understand how the information in your My Health Record can be collected, used and disclosed.

The System Operator is responsible for the operation of the My Health Record system. You can read the privacy statement, which applies to personal information collected by the System Operator for the My Health Record system, online.

If you have any questions about this, call the System Operator on 1800 723 471.

2. Be aware of the different access settings available to you

Consider setting your access controls as soon as you register for a My Health Record or have one created for you. It’s a good idea to review them regularly, especially if your circumstances change or you begin treatment with a new healthcare provider. Check your ‘access list’ regularly to see who can access your My Health Record. If the default settings are set, you should know what they are and what they could mean for you. Think about whether you want to restrict which healthcare providers can access your record and what information is included.

3. Consider setting advanced access controls and a 'personal access code'

Advanced access controls allow you to restrict which healthcare providers can access your My Health Record. You can also restrict access to particular documents. If you set up a ‘personal access code’, healthcare providers will only be able to check if you have a My Health Record and access it if you give them your code. Personal access controls may be overridden in an emergency, if it is unreasonable or impracticable to obtain your consent.

4. Read the privacy notices and policies of your healthcare providers

Different healthcare providers will have different information management practices. For example, you can restrict which healthcare providers can see your My Health Record but you cannot restrict access by individual staff members. Find out which areas of the healthcare provider will have access to your My Health Record.

5. Talk to your healthcare providers regularly about what information they will be adding to and accessing from your My Health Record. Ask how they will involve you in this process

If you don’t want a certain document added to your My Health Record, make sure you tell your healthcare provider. If they have added a document that you don’t want on your record, ask them to remove it. If they refuse, you can remove it yourself by logging in to your record. You can later ask for it to be restored if you choose.

Documents that have been removed will still be accessible to the healthcare provider that uploaded them through their local IT system. This is because they created the documents and can access them on their own local IT system rather than specifically through your online My Health Record. They may also be retrieved for authorised purposes, such as by order of a court. However, once removed from your My Health Record, they won’t be accessible in an emergency so you should consider whether there is any information that could be needed in such a situation. It’s a good idea to discuss these issues with your healthcare provider.

6. Check your My Health Record access history regularly

Check for any unexpected or unauthorised access. The access history function identifies healthcare provider organisations that have accessed your My Health Record. However, if you want to find out the name of an individual who has accessed your record, you can request this by calling the System Operator on 1800 723 471. The system access history will only include access to your My Health Record. It will not include information about who has accessed information that has been downloaded into a healthcare provider’s local systems.

7. Check your My Health Record regularly to ensure that the documents it contains are kept accurate, up-to-date and complete

If any information is inaccurate, out-of-date or incomplete, ask the healthcare provider that uploaded the information to correct or complete it. If they disagree, you can ask them to attach a statement to the document stating what you consider to be inaccurate, out-of-date or incomplete. If you don’t feel comfortable approaching the healthcare provider directly, you can call the System Operator on 1800 723 471. If it is a private sector healthcare provider organisation that is unwilling to correct or complete your record, you can also make a complaint to the OAIC. Old versions of documents will still be retained by the system. If there are any important documents that you think should be included on your My Health Record, talk to your healthcare provider.

8. Secure your My Health Record

Make sure you set a strong password and don’t share it with anyone else. If you are accessing your My Health Record via the online consumer portal, ensure that the device and connection you use to access your record are secure. For example, you should install reputable anti-spyware, anti-virus scanners and firewall software and avoid unsecured wi-fi networks. General advice to help you keep your information safe online is available at staysmartonline.gov.au.

9. Exercise your privacy rights

The My Health Record system is protected by the My Health Records Act 2012 (My Health Records Act). The protections in the My Health Records Act are in addition to those under existing privacy legislation. Once information is downloaded into a healthcare provider’s local records, existing privacy legislation will apply. There are civil and criminal penalties for individuals and healthcare provider organisations who don’t comply with the My Health Records Act. If you suspect that the information in your My Health Record may have been mishandled, you can complain to the entity involved or call the System Operator on 1800 723 471. If you’re not happy with their response, you can complain to the OAIC.

10. Remember you can choose to cancel at any time

If you decide to cancel your My Health Record, call the System Operator on 1800 723 471 and ask to have your record deactivated. It can be reactivated again later if you choose.

If you cancel your My Health Record, no one will be able to see it (including yourself) and no further information can be added onto it.

Information in the cancelled record will be stored by the System Operator until 30 years after your death, or 130 years after your date of birth (if the date of death is unknown).

More information

For more information on the OAIC’s role in the My Health Record system, please see the OAIC’s Privacy fact sheet 18: The OAIC and the My Health Record system